Prepare for directory synchronization to Microsoft 365

This article applies to both Microsoft 365 Enterprise and Office 365 Enterprise.

The benefits of hybrid identity and directory synchronization for your organization include:

  • Reducing the administrative programs in your organization
  • Optionally enabling a single sign-on scenario
  • Automating account changes in Microsoft 365

For more information about the advantages of using directory synchronization, see Hybrid identity with Azure Active Directory (Azure AD) and Hybrid identity for Microsoft 365.

However, directory synchronization requires planning and preparation to ensure that your Active Directory Domain Services (AD DS) synchronizes to the Azure AD tenant of your Microsoft 365 subscription with a minimum of errors.

Follow these steps in order for the best results.

1. Directory cleanup tasks

Before you synchronize your AD DS to your Azure AD tenant, you need to clean up your AD DS.

Important

If you don't perform AD DS cleanup before you synchronize, it can lead to a significant negative impact on the deployment process. It might take days, or even weeks, to go through the cycle of directory synchronization, identifying errors, and re-synchronization.

In your AD DS, complete the following cleanup tasks for each user account that will be assigned a Microsoft 365 license:

  1. Ensure a valid and unique email address in the proxyAddresses attribute.

  2. Remove any duplicate values in the proxyAddresses attribute.

  3. If possible, ensure a valid and unique value for the userPrincipalName attribute in the user's user object. For the best synchronization experience, ensure that the AD DS UPN matches the Azure AD UPN. If a user does not have a value for the userPrincipalName attribute, then the user object must contain a valid and unique value for the sAMAccountName attribute. Remove any duplicate values in the userPrincipalName attribute.

  4. For optimal use of the global address list (GAL), ensure the information in the following attributes of the AD DS user account is correct:

    • givenName
    • surname
    • displayName
    • Job Title
    • Department
    • Office
    • Office Phone
    • Mobile Phone
    • Fax Number
    • Street Address
    • City
    • State or Province
    • Zip or Postal Code
    • Country or Region

2. Directory object and attribute preparation

Successful directory synchronization between your AD DS and Microsoft 365 requires that your AD DS attributes are properly prepared. For example, you need to ensure that specific characters aren't used in certain attributes that are synchronized with the Microsoft 365 environment. Unexpected characters do not cause directory synchronization to fail but might return a warning. Invalid characters will cause directory synchronization to fail.

Directory synchronization will also fail if some of your AD DS users have one or more duplicate attributes. Each user must have unique attributes.

The attributes that you need to prepare are listed here:

  • displayName

    • If the attribute exists in the user object, it will be synchronized with Microsoft 365.
    • If this attribute exists in the user object, there must be a value for it. That is, the attribute must not be blank.
    • Maximum number of characters: 256
  • givenName

    • If the attribute exists in the user object, it will be synchronized with Microsoft 365, but Microsoft 365 does not require or use it.
    • Maximum number of characters: 64
  • mail

    • The attribute value must be unique within the directory.

      Note

      If there are duplicate values, the first user with the value is synchronized. Subsequent users will not appear in Microsoft 365. You must modify either the value in Microsoft 365 or modify both of the values in AD DS in order for both users to appear in Microsoft 365.

  • mailNickname (Exchange alias)

    • The attribute value cannot begin with a period (.).

    • The attribute value must be unique within the directory.

      Note

      Underscores (_) in the synchronized name indicate that the original value of this attribute contains invalid characters. For more information on this attribute, see Exchange alias attribute.

  • proxyAddresses

    • Multiple-value attribute

    • Maximum number of characters per value: 256

    • The attribute value must not contain a space.

    • The attribute value must be unique within the directory.

    • Invalid characters: < > ( ) ; , [ ] " '

      Note that the invalid characters apply to the characters following the type delimiter and ":", such that SMTP:User@contoso.com is allowed, but SMTP:user:M@contoso.com is not.

      Important

      All Simple Mail Transport Protocol (SMTP) addresses should comply with email messaging standards. Remove duplicate or unwanted addresses if they exist.

  • sAMAccountName

    • Maximum number of characters: 20
    • The attribute value must be unique within the directory.
    • Invalid characters: [ \ " | , / : < > + = ; ? * ']
    • If a user has an invalid sAMAccountName attribute but has a valid userPrincipalName attribute, the user account is created in Microsoft 365.
    • If both sAMAccountName and userPrincipalName are invalid, the AD DS userPrincipalName attribute must be updated.
  • sn (surname)

    • If the attribute exists in the user object, it will be synchronized with Microsoft 365, but Microsoft 365 does not require or use it.
  • targetAddress

    The targetAddress attribute that is populated for the user (for example, SMTP:tom@contoso.com) must appear in the Microsoft 365 GAL. In third-party messaging migration scenarios, this would require the Microsoft 365 schema extension for the AD DS. The Microsoft 365 schema extension would also add other useful attributes to manage Microsoft 365 objects that are populated by using a directory synchronization tool from AD DS. For example, the msExchHideFromAddressLists attribute to manage hidden mailboxes or distribution groups would be added.

    • Maximum number of characters: 256
    • The attribute value must not contain a space.
    • The attribute value must be unique within the directory.
    • Invalid characters: \ < > ( ) ; , [ ] "
    • All Simple Mail Transport Protocol (SMTP) addresses should comply with email messaging standards.
  • userPrincipalName

    • The userPrincipalName attribute must be in the Internet-style sign-in format where the user name is followed by the at sign (@) and a domain name: for example, user@contoso.com. All Simple Mail Transport Protocol (SMTP) addresses should comply with email messaging standards.
    • The maximum number of characters for the userPrincipalName attribute is 113. A specific number of characters are permitted before and after the at sign (@), as follows:
    • Maximum number of characters for the username that is in front of the at sign (@): 64
    • Maximum number of characters for the domain name following the at sign (@): 48
    • Invalid characters: \ % & * + / = ? { } | < > ( ) ; : , [ ] "
    • Characters allowed: A-Z, a-z, 0-9, ' . - _ ! # ^ ~
    • Letters with diacritical marks, such as umlauts, accents, and tildes, are invalid characters.
    • The @ character is required in each userPrincipalName value.
    • The @ character cannot be the first character in each userPrincipalName value.
    • The username cannot end with a period (.), an ampersand (&), a space, or an at sign (@).
    • The username cannot contain any spaces.
    • Routable domains must be used; for example, local or internal domains cannot be used.
    • Unicode is converted to underscore characters.
    • userPrincipalName cannot contain any duplicate values in the directory.
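The cleanup tasks in step 1 and the attribute rules in step 2 are easiest to apply before synchronization if they are checked mechanically across every account that will be licensed. The PowerShell function below is an added example, not code from the Microsoft article or from Azure AD Connect: it encodes the length, blank-value, invalid-character and directory-wide uniqueness rules listed above and reports one finding per violation. It runs offline against three constructed sample user objects; the function name Test-M365SyncReadiness and the sample data are assumptions, and to run it against a real domain you would replace $Users with the output of Get-ADUser with the same properties requested.

```powershell
# Added example (not from the Microsoft article): offline check of the step 1 / step 2
# attribute rules. For real data replace $Users with, for example:
#   Get-ADUser -Filter * -Properties displayName,givenName,sn,mail,mailNickname,proxyAddresses
# (ActiveDirectory module needed for that line only; the checks themselves are module-free).

# Constructed sample input: 'tom' is clean, 'ana|li' and 'bob' carry deliberate problems.
$Users = @(
    [pscustomobject]@{ sAMAccountName='tom';    userPrincipalName='tom@contoso.com';  displayName='Tom Ng'; givenName='Tom'; sn='Ng'; mail='tom@contoso.com'; mailNickname='tom';  proxyAddresses=@('SMTP:tom@contoso.com','smtp:t.ng@contoso.com') }
    [pscustomobject]@{ sAMAccountName='ana|li'; userPrincipalName='ana@contoso.com';  displayName='';       givenName='Ana'; sn='Li'; mail='ana@contoso.com'; mailNickname='.ana'; proxyAddresses=@('SMTP:ana@contoso.com') }
    [pscustomobject]@{ sAMAccountName='bob';    userPrincipalName='bób@contoso.com';  displayName='Bob K';  givenName='Bob'; sn='K';  mail='tom@contoso.com'; mailNickname='bob';  proxyAddresses=@('SMTP:bob @contoso.com','SMTP:tom@contoso.com') }
)

function Test-M365SyncReadiness {
    param([Parameter(Mandatory)][object[]]$Users)

    $findings = [System.Collections.Generic.List[string]]::new()
    function Add-Finding([string]$User, [string]$Attr, [string]$Msg) { $findings.Add("$User | $Attr | $Msg") }

    # Values that must be unique across the whole directory; hashtable keys are case-insensitive,
    # which matches how SMTP addresses and account names are compared.
    $seen = @{ mail=@{}; mailNickname=@{}; sAMAccountName=@{}; userPrincipalName=@{}; proxyAddresses=@{} }

    foreach ($u in $Users) {
        $id = [string]$u.sAMAccountName

        foreach ($attr in 'mail','mailNickname','sAMAccountName','userPrincipalName') {
            $v = [string]$u.$attr
            if (-not $v) { continue }
            if ($seen[$attr].ContainsKey($v)) { Add-Finding $id $attr "duplicate value '$v' (already used by $($seen[$attr][$v])); only the first user will sync" }
            else { $seen[$attr][$v] = $id }
        }

        # displayName: if present it must not be blank; 256 characters maximum
        if ($u.PSObject.Properties['displayName']) {
            if ([string]::IsNullOrWhiteSpace($u.displayName)) { Add-Finding $id 'displayName' 'attribute exists but is blank' }
            elseif ($u.displayName.Length -gt 256)           { Add-Finding $id 'displayName' 'longer than 256 characters' }
        }
        if ($u.givenName -and $u.givenName.Length -gt 64)   { Add-Finding $id 'givenName' 'longer than 64 characters' }
        if ($u.mailNickname -and $u.mailNickname.StartsWith('.')) { Add-Finding $id 'mailNickname' 'must not begin with a period' }

        # proxyAddresses: per-value length, no spaces, invalid characters after the "TYPE:" delimiter
        # (a second ':' is treated as invalid too, as in the SMTP:user:M@contoso.com example), unique
        foreach ($pa in @($u.proxyAddresses)) {
            $addr = $pa.Substring($pa.IndexOf(':') + 1)
            if ($pa.Length -gt 256)                 { Add-Finding $id 'proxyAddresses' "'$pa' longer than 256 characters" }
            if ($pa -match '\s')                    { Add-Finding $id 'proxyAddresses' "'$pa' contains a space" }
            if ($addr -match '[<>();:,\[\]"'']')    { Add-Finding $id 'proxyAddresses' "'$pa' contains an invalid character" }
            if ($seen.proxyAddresses.ContainsKey($pa)) { Add-Finding $id 'proxyAddresses' "'$pa' duplicates a value on $($seen.proxyAddresses[$pa])" }
            else { $seen.proxyAddresses[$pa] = $id }
        }

        # sAMAccountName: 20 characters maximum, invalid characters [ \ " | , / : < > + = ; ? * '
        $samOk = $true
        if (-not $id -or $id.Length -gt 20)          { $samOk = $false; Add-Finding $id 'sAMAccountName' 'missing or longer than 20 characters' }
        if ($id -match '[\[\\"|,/:<>+=;?*''\]]')    { $samOk = $false; Add-Finding $id 'sAMAccountName' 'contains an invalid character' }

        # userPrincipalName: exactly one '@' not in first position, 113/64/48 length limits,
        # only A-Z a-z 0-9 ' . - _ ! # ^ ~ (so diacritics and Unicode fail), no trailing . & space @
        $upn = [string]$u.userPrincipalName
        $upnOk = $false
        if ($upn -and $upn.IndexOf('@') -gt 0 -and $upn.Length -le 113) {
            $at = $upn.IndexOf('@')
            $local = $upn.Substring(0, $at); $domain = $upn.Substring($at + 1)
            $upnOk = ($local.Length -le 64) -and ($domain.Length -le 48) -and
                     ($local  -match '^[A-Za-z0-9''.\-_!#^~]+$') -and ($local -notmatch '[.&@ ]$') -and
                     ($domain -match '^[A-Za-z0-9''.\-_!#^~]+$')
        }
        if (-not $upnOk) { Add-Finding $id 'userPrincipalName' "'$upn' violates the format, length or character rules" }

        # The article's two outcome rules for the sAMAccountName / userPrincipalName combination
        if (-not $samOk -and $upnOk)      { Add-Finding $id 'sAMAccountName' 'invalid, but the account will still be created in Microsoft 365 from its valid userPrincipalName' }
        if (-not $samOk -and -not $upnOk) { Add-Finding $id 'userPrincipalName' 'both sAMAccountName and userPrincipalName are invalid: update userPrincipalName in AD DS' }
    }
    return $findings
}

$result = Test-M365SyncReadiness -Users $Users
if ($result.Count -eq 0) { 'No findings: attributes look ready to synchronize.' } else { $result }
```

On the sample data this reports the blank displayName, leading-period mailNickname and invalid sAMAccountName on the second account (with the note that it will still be created because its UPN is valid), and the duplicate mail value, diacritic in the UPN, space in a proxy address and duplicate SMTP:tom@contoso.com on the third. Because every finding names the account and the attribute, the list can be handed to the owners of those objects before the first synchronization cycle rather than discovered from Azure AD Connect export errors afterwards.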

3. Prepare the userPrincipalName attribute

Active Directory is designed to allow the end users in your organization to sign in to your directory by using either sAMAccountName or userPrincipalName. Similarly, end users can sign in to Microsoft 365 by using the user principal name (UPN) of their work or school account. Directory synchronization attempts to create new users in Azure Active Directory by using the same UPN that's in your AD DS. The UPN is formatted like an email address.

In Microsoft 365, the UPN is the default attribute that's used to generate the email address. It's easy to get userPrincipalName (in AD DS and in Azure AD) and the primary email address in proxyAddresses set to different values. When they are set to different values, there can be confusion for administrators and end users.

It's best to align these attributes to reduce confusion. To meet the requirements of single sign-on with Active Directory Federation Services (AD FS) 2.0, you need to ensure that the UPNs in Azure Active Directory and your AD DS match and are using a valid domain namespace.

4. Add an alternative UPN suffix to AD DS

You may need to add an alternative UPN suffix to associate the user's corporate credentials with the Microsoft 365 environment. A UPN suffix is the part of a UPN to the right of the @ character. UPNs that are used for single sign-on can contain letters, numbers, periods, dashes, and underscores, but no other types of characters.

For more information on how to add an alternative UPN suffix to Active Directory, see Prepare for directory synchronization.

5. Match the AD DS UPN with the Microsoft 365 UPN

If you've already set up directory synchronization, the user's UPN for Microsoft 365 may not match the user's AD DS UPN that's defined in your AD DS. This can occur when a user was assigned a license before the domain was verified. To fix this, use PowerShell to fix duplicate UPNs and update the user's UPN so that the Microsoft 365 UPN matches the corporate user name and domain. If you are updating the UPN in AD DS and would like it to synchronize with the Azure Active Directory identity, you need to remove the user's license in Microsoft 365 prior to making the changes in AD DS.

Also see How to prepare a non-routable domain (such as a .local domain) for directory synchronization.
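Steps 3 to 5 come down to one question per user: does the AD DS UPN match the primary SMTP address, and is its suffix a routable domain that Microsoft 365 will accept for sign-in? The PowerShell below is an added example, not code from the Microsoft article or from any Microsoft tool: it reads the primary SMTP address from proxyAddresses (the value whose prefix is upper-case SMTP:), compares it with the UPN, checks the suffix against the single sign-on character rule from step 4 and against the list of domains already verified in the tenant, and lists the distinct suffixes in use so you can see which alternative UPN suffix still has to be added. The function name Test-UpnAlignment, the -VerifiedDomains parameter (you supply the tenant's verified domains yourself) and the sample objects are assumptions; treating a suffix as non-routable when it ends in .local or has no dot at all is this example's reading of the article's "local or internal domains" rule.

```powershell
# Added example (not from the Microsoft article): UPN / primary-SMTP alignment and UPN-suffix
# check on constructed sample objects. For real data, pipe Get-ADUser -Filter * -Properties proxyAddresses
# into -Users and pass the domains verified in your tenant to -VerifiedDomains.

# Constructed sample input: aligned user, .local suffix user, unverified sub-domain user.
$Users = @(
    [pscustomobject]@{ sAMAccountName='tom'; userPrincipalName='tom@contoso.com';      proxyAddresses=@('SMTP:tom@contoso.com','smtp:t.ng@contoso.com') }
    [pscustomobject]@{ sAMAccountName='ana'; userPrincipalName='ana@contoso.local';    proxyAddresses=@('SMTP:ana@contoso.com') }
    [pscustomobject]@{ sAMAccountName='bob'; userPrincipalName='bob@corp.contoso.com'; proxyAddresses=@('SMTP:bob@contoso.com') }
)

function Test-UpnAlignment {
    param(
        [Parameter(Mandatory)][object[]]$Users,
        [Parameter(Mandatory)][string[]]$VerifiedDomains   # domains already verified in the Microsoft 365 tenant (assumed input)
    )
    foreach ($u in $Users) {
        $upn    = [string]$u.userPrincipalName
        $suffix = if ($upn.Contains('@')) { $upn.Substring($upn.IndexOf('@') + 1) } else { '' }

        # Primary SMTP address = the proxyAddresses value with the upper-case "SMTP:" prefix
        # (-clike is case-sensitive; lower-case "smtp:" entries are secondary addresses)
        $primary = @($u.proxyAddresses) | Where-Object { $_ -clike 'SMTP:*' } | Select-Object -First 1
        $primary = if ($primary) { $primary.Substring(5) } else { '' }

        $issues = @()
        if (-not $primary)           { $issues += 'no primary SMTP address in proxyAddresses' }
        elseif ($primary -ne $upn)   { $issues += "UPN '$upn' differs from primary SMTP '$primary'" }   # -ne is case-insensitive

        if ($suffix -match '\.local$' -or $suffix -notmatch '\.') {
            $issues += "UPN suffix '$suffix' is not routable (this example treats .local and single-label suffixes as non-routable)"
        } elseif ($suffix -notmatch '^[A-Za-z0-9._-]+$') {
            $issues += "UPN suffix '$suffix' contains characters not allowed for single sign-on"
        } elseif ($VerifiedDomains -notcontains $suffix) {
            $issues += "UPN suffix '$suffix' is not a verified domain: verify it in the tenant, or give the user a UPN under a verified alternative UPN suffix"
        }

        [pscustomobject]@{ User = $u.sAMAccountName; UPN = $upn; PrimarySmtp = $primary; Issues = ($issues -join '; ') }
    }
}

Test-UpnAlignment -Users $Users -VerifiedDomains 'contoso.com' | Format-Table -AutoSize

# Distinct UPN suffixes in use: the ones missing from the verified list are candidates for an
# alternative UPN suffix in AD DS (step 4) or for domain verification in Microsoft 365.
'UPN suffixes in use:'
$Users.userPrincipalName | ForEach-Object { $_.Substring($_.IndexOf('@') + 1) } | Sort-Object -Unique
```

For the sample objects, tom has no issues, ana is flagged for both the UPN/primary-SMTP mismatch and the non-routable contoso.local suffix, and bob is flagged because corp.contoso.com is not in the verified list. The function only reports; as the article states in step 5, a UPN change that must flow to an already-licensed Azure AD identity is preceded by removing the user's Microsoft 365 license, so the repair itself is better done as a deliberate, per-user step than as a bulk rewrite.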

Next steps

If you have done steps 1 through 5 above, see Set up directory synchronization.